Monday, 17 December 2012

Make Money Ads - Detecting Network Sniffers


Overview

A packet sniffer is a program or device that eavesdrops on network traffic and gathers data from packets. Sometimes such wiretaps are carried out by the network administrator for beneficial purposes (like intrusion detection, performance analysis, etc.). On the other hand, malicious intruders may install packet sniffers in order to retrieve clear-text usernames and passwords from the local network, or other vital information transmitted on the network. Vulnerable protocols (with clear-text passwords) include telnet, ftp, imap, pop3, nntp and smtp-auth. Sniffers work because ethernet was designed to be shared. Most networks use broadcast technology -- messages for one computer can be read by another computer on that network. In practice, computers ignore all messages except those that were sent directly to them (or broadcast to all hosts on the network). However, a computer can be placed in promiscuous mode and made to accept messages even if they are not meant for it -- this is how a sniffer works.

People assume that computers connected to a switch are safe from sniffing -- but this is not really so. Computers connected to switches are just as vulnerable to sniffers as those connected to a hub.

How a Sniffer works

A computer connected to a LAN has 2 addresses -- one is the MAC address, which uniquely identifies each node in a network and is stored on the network card. The MAC address is used by the ethernet protocol when building frames to transfer data. The other is the IP address, which is used by applications. The Data Link Layer (layer 2 of the OSI model) uses an ethernet header with the MAC address of the destination machine. The Network Layer (layer 3 of the OSI model) is responsible for mapping IP network addresses to the MAC address as required by the Data Link Protocol. Layer 3 first attempts to look up the MAC address of the destination machine in a table called the ARP cache. If no MAC entry is found for the IP address, the Address Resolution Protocol broadcasts a request packet (ARP request) to all machines on the network. The machine with that IP address responds to the source machine with its MAC address. This MAC address then gets added to the source machine's ARP cache, and is used by the source machine in all its subsequent communications with the destination machine.

There are two basic types of ethernet environments -- shared and switched. In a shared ethernet environment all hosts are connected to the same bus and compete with one another for bandwidth. In such an environment packets meant for one machine are received by all the other machines. All the computers on the shared ethernet compare the frame's destination MAC address with their own; if the two don't match, the frame is quietly discarded. A machine running a sniffer breaks this rule and accepts all frames. Such a machine is said to have been put into promiscuous mode and can effectively listen to all the traffic on the network. Hence, sniffing in a shared ethernet environment is passive and difficult to detect.

In a switched environment the hosts are connected to a switch instead of a hub. The switch maintains a table that keeps track of each computer's MAC address and the physical port on the switch to which that MAC address is connected. The switch is an intelligent device which sends packets only to the destination computer. As a result, simply putting a machine into promiscuous mode to gather packets does not work. However, this does not mean that switched networks are secure and cannot be sniffed.

Though a switch is more secure than a hub, the following methods can be used to sniff on a switch:

* ARP Spoofing -- ARP is stateless, that is, a host can send an ARP reply even if none has been asked for, and such a reply will be accepted. For example, one technique is to ARP spoof the gateway of the network. The ARP cache of the targeted host will then have a wrong entry for the gateway and is said to be poisoned. From this point on, all the traffic destined for the gateway will pass through the sniffer machine. Another trick that can be used is to poison a host's ARP cache by setting the gateway's MAC address to FF:FF:FF:FF:FF:FF (also known as the broadcast MAC).

* MAC Flooding -- Switches keep a translation table that maps MAC addresses to physical ports on the switch. This allows them to intelligently route packets from one host to another. The switch has a limited amount of memory for this work. MAC flooding makes use of this limitation to bombard a switch with fake MAC addresses until the switch can't keep up. The switch then enters into what is known as a 'failopen mode', at which point it starts acting as a hub by broadcasting packets to all the machines on the network. Once that happens sniffing can be performed easily.

Detecting Sniffers on the Network

A sniffer is usually passive -- it just collects data -- and is especially difficult to detect when running in a shared Ethernet environment. However, it is easy to detect a sniffer when installed on a switched network. When installed on a computer a sniffer does generate some small amount of traffic, which allows for its detection using the following types of techniques:

* Ping Method -- a ping request is sent with the IP address of the suspect machine but not its MAC address. Ideally, nobody should see this packet, as each ethernet adapter will reject it because it does not match its MAC address. But if the suspect machine is running a sniffer it will respond, since it accepts all packets.

* ARP Method -- this method relies on the fact that all machines cache ARPs (i.e. MAC addresses). Here, we send a non-broadcast ARP, so only machines in promiscuous mode will cache our ARP address. Next, we send a broadcast ping packet with our IP but a different MAC address. Only a machine which has our correct MAC address from the sniffed ARP frame will be able to respond to our broadcast ping request.

* On Local Host -- if a machine has been compromised a hacker may have left a sniffer running. There are utility programs that can be run which report whether the local machine's network adapter has been set to promiscuous mode.

* Latency Method -- is based on the assumption that most sniffers do some kind of parsing, thereby increasing the load on that machine. Therefore it will take additional time to respond to a ping packet. This difference in response times can be used as an indicator of whether a machine is in promiscuous mode or not.

* ARP Watch -- to prevent a hacker from ARP spoofing the gateway, there are utilities that can be used to monitor the ARP cache of a machine and see whether a single machine now appears under more than one address (or one address under more than one machine).
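The ping and ARP methods above both come down to the same trick: hand the suspect a frame that its network card should filter out in hardware, and see whether it answers anyway. This added example (my own code, not from the original post or any of the tools it mentions) builds that probe as an ARP request for the suspect's IP carried in an Ethernet frame whose destination MAC is deliberately wrong, and classifies any ARP replies that come back. Every MAC and IP address in it, including FAKE_DST_MAC, is constructed; sending the probe needs Linux, a raw socket and CAP_NET_RAW, so the demo at the bottom only parses a constructed reply.

```python
"""Build and interpret the probe frames behind the ping/ARP detection methods.

Added example, not code from the original post. A probe is an ARP request
for the suspect's IP address carried in an Ethernet frame whose destination
MAC is deliberately wrong (FAKE_DST_MAC, constructed here). A normally
configured adapter drops that frame in hardware; a host in promiscuous mode
passes it up the stack and may answer with an ARP reply, which is what the
classifier looks for. All addresses are constructed.
"""
import socket
import struct
from typing import Iterable, List, Optional, Set, Tuple

ETH_P_ARP = 0x0806                  # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2
FAKE_DST_MAC = "ff:ff:ff:ff:ff:fe"  # constructed: matches no adapter's own address

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(op: int, dst_mac: str, src_mac: str, src_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet + ARP frame; dst_mac is the Ethernet destination, target_mac the ARP one."""
    eth = ETH_HDR.pack(mac_bytes(dst_mac), mac_bytes(src_mac), ETH_P_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op,
                       mac_bytes(src_mac), socket.inet_aton(src_ip),
                       mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def build_probe(src_mac: str, src_ip: str, suspect_ip: str) -> bytes:
    """ARP request for suspect_ip, addressed at the Ethernet level to FAKE_DST_MAC."""
    return build_arp_frame(ARP_REQUEST, FAKE_DST_MAC, src_mac, src_ip,
                           "00:00:00:00:00:00", suspect_ip)


def parse_arp_reply(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (sender_ip, sender_mac) for an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return socket.inet_ntoa(spa), mac_str(sha)


def promiscuous_suspects(probed_ips: Set[str], replies: Iterable[bytes]) -> List[str]:
    """IPs that answered a probe their adapter should have filtered, in first-seen order."""
    found: List[str] = []
    for frame in replies:
        parsed = parse_arp_reply(frame)
        if parsed and parsed[0] in probed_ips and parsed[0] not in found:
            found.append(parsed[0])
    return found


def send_probe(iface: str, frame: bytes) -> None:
    """Transmit one probe frame on iface (Linux AF_PACKET, needs CAP_NET_RAW)."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as sock:
        sock.bind((iface, 0))
        sock.send(frame)


if __name__ == "__main__":
    ours_mac, ours_ip = "02:00:00:00:00:01", "192.0.2.5"  # constructed
    probe = build_probe(ours_mac, ours_ip, "192.0.2.10")
    print(f"probe: {len(probe)} bytes, Ethernet dst {mac_str(probe[:6])}")
    # Constructed reply, as a host in promiscuous mode would send it
    reply = build_arp_frame(ARP_REPLY, ours_mac, "00:11:22:33:44:10", "192.0.2.10",
                            ours_mac, ours_ip)
    print("suspects:", promiscuous_suspects({"192.0.2.10", "192.0.2.11"}, [reply]))
```

A reply to such a probe is evidence, not proof: bridged or virtualised adapters and some drivers pass frames that a plain NIC would drop, so treat a hit as a reason to check the host locally rather than as a verdict.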
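For the "On Local Host" check, here is an added example of the kind of utility the post refers to, written by me for this page rather than taken from it. On Linux the kernel exposes each interface's flag word in /sys/class/net/<iface>/flags, and bit 0x100 is IFF_PROMISC from <linux/if.h>; the kernel sets that bit whether promiscuity was switched on with ip/ifconfig or by a capture tool's packet socket. The SAMPLE_FLAGS table is constructed so the logic can be exercised on a non-Linux host.

```python
"""Report local interfaces whose adapter is in promiscuous mode (Linux).

Added example, not code from the original post. Reads the flag word from
/sys/class/net/<iface>/flags and tests the IFF_PROMISC bit. SAMPLE_FLAGS is a
constructed table used when sysfs is not available.
"""
import os
from typing import Dict, List

SYSFS_NET = "/sys/class/net"

# Flag bits from <linux/if.h> (real kernel constants)
IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_LOOPBACK = 0x8
IFF_PROMISC = 0x100
IFF_MULTICAST = 0x1000

FLAG_NAMES = {
    IFF_UP: "UP",
    IFF_BROADCAST: "BROADCAST",
    IFF_LOOPBACK: "LOOPBACK",
    IFF_PROMISC: "PROMISC",
    IFF_MULTICAST: "MULTICAST",
}

# Constructed sample: eth0 in promiscuous mode, eth1 and lo normal
SAMPLE_FLAGS: Dict[str, int] = {"eth0": 0x1103, "eth1": 0x1003, "lo": 0x9}


def parse_sysfs_flags(text: str) -> int:
    """Parse the contents of a sysfs flags file (a hex word such as 0x1103)."""
    return int(text.strip(), 16)


def is_promiscuous_flags(flags: int) -> bool:
    """True when IFF_PROMISC is set in an interface flag word."""
    return bool(flags & IFF_PROMISC)


def describe_flags(flags: int) -> str:
    """Render the known bits of a flag word, e.g. 'UP,BROADCAST,PROMISC,MULTICAST'."""
    return ",".join(name for bit, name in FLAG_NAMES.items() if flags & bit)


def promiscuous_interfaces(flag_table: Dict[str, int]) -> List[str]:
    """Sorted names of interfaces whose flag word has IFF_PROMISC set."""
    return sorted(name for name, flags in flag_table.items()
                  if is_promiscuous_flags(flags))


def read_sysfs_flags() -> Dict[str, int]:
    """Build {iface: flags} from sysfs; empty on hosts without /sys/class/net."""
    table: Dict[str, int] = {}
    if not os.path.isdir(SYSFS_NET):
        return table
    for name in os.listdir(SYSFS_NET):
        try:
            with open(os.path.join(SYSFS_NET, name, "flags")) as fh:
                table[name] = parse_sysfs_flags(fh.read())
        except OSError:
            continue  # entries without a readable flags file
    return table


if __name__ == "__main__":
    table = read_sysfs_flags() or SAMPLE_FLAGS  # fall back to the constructed sample
    for name, flags in sorted(table.items()):
        mark = "  <-- promiscuous" if is_promiscuous_flags(flags) else ""
        print(f"{name:8s} 0x{flags:04x} {describe_flags(flags)}{mark}")
```

A promiscuous interface is not automatically a sniffer (bridges, virtualisation hosts and IDS sensors run that way on purpose), so compare the result against what the machine is supposed to be doing, and remember that an attacker with root can also hide the flag from tools running on the same host.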
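And for the ARP Watch item, an added example of the monitoring logic itself (mine, not code from the post or from any existing utility). It watches a stream of ARP replies and alerts on the three things the post describes: the gateway's IP suddenly mapping to a new MAC, one MAC answering for several IPs, and a host being mapped to the broadcast MAC FF:FF:FF:FF:FF:FF. GATEWAY_IP and the SAMPLE_REPLIES sequence are constructed for the demonstration.

```python
"""Toy ARP watch: alert on suspicious IP-to-MAC bindings in observed ARP replies.

Added example, not code from the original post. Tracks the MAC seen for each IP
and alerts when a later reply claims a different MAC for the same IP, when one
MAC starts answering for more than one IP, or when the broadcast MAC is offered
as a host's hardware address. GATEWAY_IP and SAMPLE_REPLIES are constructed.
"""
from typing import Dict, Iterable, List, Set, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
GATEWAY_IP = "192.0.2.1"  # constructed: this LAN's default gateway

# Constructed sequence of (sender IP, sender MAC) pairs taken from ARP replies
SAMPLE_REPLIES: List[Tuple[str, str]] = [
    ("192.0.2.1", "00:11:22:33:44:01"),   # gateway, baseline
    ("192.0.2.10", "00:11:22:33:44:10"),  # ordinary host
    ("192.0.2.1", "00:11:22:33:44:10"),   # host .10 now claims to be the gateway
    ("192.0.2.20", "ff:ff:ff:ff:ff:ff"),  # broadcast MAC offered for .20
]


class ArpWatch:
    def __init__(self, gateway_ip: str) -> None:
        self.gateway_ip = gateway_ip
        self.bindings: Dict[str, str] = {}     # ip -> most recent MAC
        self.owners: Dict[str, Set[str]] = {}  # mac -> ips it has answered for

    def observe(self, sender_ip: str, sender_mac: str) -> List[str]:
        """Record one ARP reply and return the alerts it triggers (possibly none)."""
        mac = sender_mac.lower()
        alerts: List[str] = []
        if mac == BROADCAST_MAC:
            alerts.append(f"{sender_ip} mapped to the broadcast MAC (possible ARP poisoning)")
        previous = self.bindings.get(sender_ip)
        if previous is not None and previous != mac:
            role = "gateway" if sender_ip == self.gateway_ip else "host"
            alerts.append(f"{role} {sender_ip} changed from {previous} to {mac}")
        self.bindings[sender_ip] = mac
        claimed = self.owners.setdefault(mac, set())
        if sender_ip not in claimed:
            claimed.add(sender_ip)
            if len(claimed) > 1:
                alerts.append(f"{mac} now answers for {sorted(claimed)}")
        return alerts


def run_watch(replies: Iterable[Tuple[str, str]], gateway_ip: str = GATEWAY_IP) -> List[str]:
    """Feed a sequence of (ip, mac) observations through one ArpWatch; return all alerts."""
    watch = ArpWatch(gateway_ip)
    alerts: List[str] = []
    for ip, mac in replies:
        alerts.extend(watch.observe(ip, mac))
    return alerts


if __name__ == "__main__":
    for line in run_watch(SAMPLE_REPLIES):
        print("ALERT:", line)
```

Legitimate events (a DHCP lease handed to a new machine, a replaced network card, a router failover) produce the same alerts, so a production watcher should log the change with a timestamp and let an administrator confirm it rather than react automatically.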

How To Protect Against Sniffing

The best way to secure a network against sniffing is to use encryption. While this won't prevent sniffers from functioning, it will ensure the data collected by sniffers is un-interpretable. Also, on a switched network the chances are that ARP spoofing will be used for sniffing purposes, and the machine that the hacker will most likely ARP-spoof is the default gateway. To prevent this from happening it is suggested that the MAC address of the gateway be permanently added to each host's ARP cache.

Additional suggestions include:

* Use SSH instead of telnet.

* Use HTTPS instead of HTTP (if the site supports it).

* If concerned about email privacy, try a service such as Hushmail (www.hushmail.com), which uses SSL to ensure that data is not read in transit. Also, Pretty Good Privacy (www.gnupg.org) can be used for encrypting and signing emails to prevent others from reading them.

* Employ a sniffer detector. For example, the software package PromiScan is considered the standard sniffing node detection tool and is recommended by the SANS (SysAdmin, Audit, Network, Security) Institute. It is an application package used to remotely monitor computers on local networks to locate network interfaces operating in promiscuous mode.
